Professional Documents
Culture Documents
1 Introduction
There are two categories of authenticated two-party key agreement protocols:
Password Authenticated Key Exchange (PAKE) and Authenticated Key Exchange (AKE) [9]. The former realizes authentication based on a shared password, while the latter based on public key certicates [1,2,46]. In this paper, we
focus on discussing the second category. To better dierentiate it from the rst
category, we will call it Public Key Authenticated Key Exchange (PK-AKE).
2 Past work
Many PK-AKE protocols claim to be provably secure in a formal model. Among
them, the HMQV scheme is perhaps the most well-known example [2]. In this
section, we will show two new attacks on HMQV.
The HMQV protocol is modied from MQV [6] with the primary aim for
provable security [2]. The most signcant change is that HMQV drops some
mandated verication steps in MQV, including the Proof of Possession (PoP)
check during the CA registration and the prime-order validation check of the
ephemeral public key.
Dropping the public key validations is highly controversial, despite that
HMQV has formal security proofs. In one attack, Menezes et al. demonstrated
disclosing the user's private key without violating the HMQV model denition [7, 8]. This attack indicates a aw in the original design of HMQV.
In acknowledgement of the missing public key validation, Krawczyk revised
HMQV in the submission to IEEE P1363 Standards committee [3]. He added
the following validation: Alice checks the term Y B e has the correct prime order
and Bob does the same for XAd (see [2], p. 548, for the denition of symbols.)
This change prevents the small subgroup attack in [8], but decreases the claimed
eciency. However, instead of validating the static and ephemeral public keys
separately as in MQV, the revision chooses to optimize eciency by mixing the
two operations together. This causes the problem as below.
We now report a new invalid public key attack on HMQV. For illustration,
we follow the same symbols used in the original description of HMQV (see [2],
p. 548). In both the original and revised versions of HMQV, the CA is only
required to check the submitted public key is not 0. The attack works as follows.
Assume Bob (attacker) registers a small subgroup element s Gw as the public
key where w|p 1. Bob chooses an arbitrary value z Zq . Let Y = g z s0
where s0 is an element in the same small subgroup Gw . Exhaustively, Bob tries
every element s0 in Gw such that Y B e = g z s0 se = g z . In other words, the
works like
small subgroup elements s and s0 cancel each other out. Suppose H
0
a random oracle as assumed in HMQV. Then, for each try of s , the probability
of nding s0 se = 1 is 1/w. It will be almost certain to nd such s0 after
searching all w elements in Gw (if not then change a dierent z and repeat
the procedure). Following the HMQV protocol, Bob sends Y = g z s0 to Alice.
Alice checks Y B e has the correct prime order and computes the session key
= H((Y B e )x+da ) = H(g z(x+da) ). Because Bob knows z , he can compute the
same session key and successfully authenticate himself to Alice.
The fact that an obviously invalid public key is totally undetected by all ows
in HMQV is unsettling. This raises a serious question on the basic denition of
authentication in HMQV Bob does not even have a private key, yet he is able
to successfully pass all authentication checks. In fact, anyone can do the same
pre-computation as above and authenticate to Alice as Bob. In one attacking
scenario, Bob (the attacker) may at any time suddenly repudiate all previous
authenticated transactions with Alice by telling the judge that his public key is
invalid, so anyone can impersonate him. (Bob's certicate is publicly available.)
In comparison, MQV does not have this problem.
The other attack on HMQV happens when two parties use the same certicate during self-communication [2]. Self-communication is a useful application
in practice. For example, a mobile user and the desktop computer may hold
the same static private key (registering two public key certicates costs more).
Krawczyk formally proved that self-communication is secure in HMQV [2].
However, the formal model in [2] only considers the user talking to one copy
of self, but neglects the possibility that the user may talk to multiple copies of
self at the same time. This deciency is common among other formal models
too [1, 4, 11]. The attack works as follows (also see Figure 1):
1. Alice initiates the connection to a copy of herself by sending g x . The connection is
intercepted by Mallory who pretends to be Alice-1.
connection by sending to Alice g x (this is possible because HMQV does not require
the sender to know the exponent).
3. Alice responds to Alice-2 by sending g y .
6. Mallory replays the encrypted message to Alice. (After receiving money from Alice,
Mallory disconnects both connections.)
In the above attack, we only demonstrated the attack against the two-pass
HMQV (implicit authentication). For the three-pass HMQV (explicit authentication), the attack works exactly the same. Also, we have omitted the identities
in the message ows, because they are all identical according to the HMQV
specication [2].
This attack is essentially an unknown key sharing attack. Alice thinks she
is communicating to a mobile user with the same certicate, but she is actually communicating to herself. The attacker does not hold the private key, but
he manages to establish two fully authenticated channels with Alice (server).
The same attack also applies to other PK-AKE schemes, including NAXOS [4],
KEA+ [5], CMQV [11], MQV [6], and SIG-DH [1] etc, despite that many of
them have formal security proofs.
The yak lives in the Tibetan Plateau where environmental conditions are extremely
adverse.
The sender needs to produce a valid knowledge proof to demonstrate the Proof
of Possession (PoP) of the private key. As an example, we can use Schnorr's
signature, which is provably secure in the random oracle model [9]. Let H be a
secure hash function. To prove the knowledge of the exponent for X = g x , one
sends {SignerID, OtherInfo, V = g v , r = v x h} where SignerID is the unique
user identier (also called Distinguished Name [10]), OtherInfo includes auxiliary
information to indicate this is a request for certifying a static public key and
may include other practical information such as the name of the algorithm etc,
v R Zq and h = H(g, V, X, SignerID, OtherInfo). The CA checks that X has
prime order q and veries that V = g r X h (computing g r X h requires roughly
one exponentiation using the simultaneous computation technique [9]).
for x. Similarly, Bob selects y Zq and sends out g y with a knowledge proof
for y .
When this round of communication nishes, Alice and Bob verify the received
knowledge proof to ensure the other party possesses the ephemeral private key.
They also need to ensure the identity (i.e., SignerID) in the knowledge proof
must match the one in the public key certicate.
Upon successful verication, Alice computes a session key = H((g y
g b )x+a ) = H(g (x+a)(y+b) ). And Bob computes the same session key: = H((g x
g a )y+b ) = H(g (x+a)(y+b) ).
In YAK, Alice needs to perform the following exponentiations: one to compute an ephemeral public key (i.e., g x ), one to compute the knowledge proof for
x (i.e., g vx ), two to verify the knowledge proof for the exponent of Y = g y (i.e.,
Y q and g ry Y hy ) and nally one to compute the session key (Y B)x+a . Thus,
that is ve in total: {g x , g vx , Y q , g ry Y hy , (Y B)x+a }.
Among the above operations, some are merely repetitions. To explain this,
let the bit length of the exponent be L = log2 q . Then, computing g x alone would
require roughly 1.5L multiplications which include L square operations and 0.5L
multiplications of the square terms. However, the same square operations need
not be repeated for other items with the common base. If we factor this in, it will
take (1+0.53)L = 2.5L to compute {g x , g vx , g ry }, and another (1+0.52)L =
2L to compute {Y q , Y hy } and nally 1.5L to compute (Y B)x+a . Hence, that
is in total 6L, which is equivalent to 6L/1.5L = 4 usual exponentiations. This
is quite comparable to the 3.5 exponentiations in MQV (which cannot reuse the
square terms since the bases are dierent).
4 Security analysis
We formulate the following requirements for the PK-AKE protocol.
1. Private key security: An attacker cannot learn any useful information
about the user's static private key even if he is able to learn all session
specic secrets in any session.
2. Full forward secrecy: Session keys that were securely established in the
past uncorrupted sessions will remain incomputable in the future even when
both users' static private keys are disclosed.
3. Session key security: An attacker cannot compute the session key if he
impersonates a user but has no access to the user's private key.
The rst requirement is generally not covered by a formal model, but we
think it is crucially important. For example, both the SIG-DH [1] and (original)
HMQV [2] protocols have been formally proven secure in the CK model. Yet
attacks reported in [4] and [8] show that in both protocols, an attacker is able
to disclose the user's private key. In the second requirement, we use full to
distinguish it from the half forward secrecy, which only allows one user's private
key to be revealed (e.g., KEA+ [5]). The third requirement has already covered
the Key Compromise Impersonation (KCI) attack [6]. The invalid public key
attack in Section 2 indicates that HMQV does not satisfy this property.
The goal of our design is to make the best use of well-established techniques
such as Schnorr's signature. This strategy allows us to leverage upon the provable
results of Schnorr's signature (see [9]), and thus greatly simplify the security
analysis. In the following, we will provide a simple and intuitive analysis, while
leaving detailed proofs to a full paper.
First, let us discuss the private key security. Without loss of generality, we
assume Alice is honest. As shown in Figure 2 (1), Mallory totally controls Bob's
static and ephemeral private keys. Additionally, he has the extreme power that
allows him to learn Alice's transient secrets in an arbitrary session. The only
power that he does not have is the access to Alice's private key.
A sketch of the proof goes as follows. The knowledge proofs dened in YAK
prove that Mallory (the attacker) knows the value of y and b. He also knows
knowledge proof in the protocol proves that Mallory also knows the value y .
Hence, he can compute g ab , g ay and g xy . Now, we can solve the CDH problem as
follows: given g b and g x where x, b R Zq , we use Mallory as an oracle to compute
g bx = Z/(g ab g ay g xy ). This, however, contradicts the CDH assumption, which
shows YAK satises the session key security requirement.
5 Self-communication
The user identity is an important parameter in the protocol denition. In the
past literature, almost all PK-AKE protocols use the Distinguished Name (DN)
in the user's X.509 certicate as the user identity [1, 2, 46]. This practice also
carries over to the self-communication mode [2], which causes the wormhole
attack (see Section 2). In the self-communication mode, the two parties are still
distinct entities and hence, naturally require dierent identities.
To enable self-communication in YAK, we need to ensure the SignerID in
the Schnorr's signature remains unique. This is to prevent Bob from replaying
Alice's signature back to Alice and vice versa. One solution is to simply attach
an additional identier to the mobile stations using the same certicate. For
example, when Alice (server) is communicating to the nth copy of herself (mobile
station), Alice uses Alice as her SignerID to generate the Schnorr's signature
and the nth copy uses Alice-n as its SignerID. Thus, Alice-n cannot replay
Alice's signature back to Alice and vice versa. This solution is also generically
applicable to x the self-communication problem in past protocols [1, 2, 46].
Though self-communication is considered a useful feature [2], one should be
careful to enable this feature only when it is really needed. This is because, when
enabled, it may have negative impact on the theoretical security. In Section 4,
under the private key security, we have explained that, under normal operations
(using dierent certicates a 6= b), an attacker cannot learn g aa from a corrupted
session. However, if self-communication is enabled in YAK, we essentially allow
a = b, hence the attacker can learn g aa from a corrupted session. This implies we
would need a stronger assumption than CDH to prove the session key security.
This is undesirable, but to our best knowledge, no PK-AKE protocol is reducible
to the CDH assumption with the self-communication enabled. In comparison,
in HMQV [2], the attacker can learn g aa from a corrupted session regardless
whether the self-communication is enabled.
6 Conclusion
In this paper, we report two new attacks on the HMQV protocol. In addition, we
present a new authenticated key agreement protocol called YAK, and analyze
its robustness in an extremely adverse condition: the only powers that an attacker does not have are those that would allow him to trivially break any other
protocols. Overall, YAK demonstrates robust security under the Computational
Die-Hellman assumption in the random oracle model.
Acknowledgment
We thank Alfred Menezes and Berkant Ustaoglu for their generous advice and
invaluable comments. We thank Lihong Yang for helping improve the readability.
References
1. Canetti, R., Krawczyk, H.: Analysis Of Key-Exchange Protocols And Their Use For
Building Secure Channels. In: Ptzmann, B. (ed.) Eurocrypt 2001. LNCS, vol. 2045,
pp. 453-474. Springer, Heidelberg (2001)
2. Krawczyk, H.: HMQV: A High-Performance Secure Die-Hellman Protocol. In:
Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546-566. Springer, Heidelberg
(2005). The full version (2005), http://eprint.iacr.org/2005/176.pdf
3. Krawczyk, H.: HMQV in IEEE P1363. Submission to the IEEE P1363 Standardization Working Group, (2006). http://grouper.ieee.org/groups/1363/
P1363-Reaffirm/submissions/krawczyk-hmqv-spec.pdf
4. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger Security Of Authenticated Key
Exchange. In: Susilo, W. et al. (eds.) Provable Security 2007. LNCS, vol. 4784, pp.
1-16. Springer, Heidelberg (2007)
5. Lauter, K., Mityagin, A.: Security Analysis Of KEA Authenticated Key Exchange
Protocol. In: Yung, M. (ed.) PKC 2006. LNCS, vol. 3958, pp. 378-394. Springer,
Heidelberg (2006)
6. Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An Ecient Protocol For
Authenticated Key Agreement. Designs, Codes and Cryptography 28 (2), 119-134
(2003)
7. Menezes, A.: Another Look At HMQV. J. of Mathematical Cryptology 1(1), 47-64,
(2007)
8. Menezes, A., Ustaoglu, B.: On The Importance Of Public-Key Validation In The
MQV And HMQV Key Agreement Protocols. In: INDOCRYPT 2006. Barua, R.,
Lange, T. (eds.) LNCS, vol. 4329, pp. 133-147. Springer, Heidelberg (2006)
9. Menezes, A., Van Oorschot, P., Vanstone, S.: Handbook Of Applied Cryptography.
CRC Press (1996)
10. Mitchell, C.: Security For Mobility. The Institution of Electrical Engineers (2004)
11. Ustaoglu, B.: Obtaining A Secure And Ecient Key Agreement Protocol For
(H)MQV And NAXOS. Designs, Codes and Cryptography 46 (3), 329-342 (2008)